---

Manual Reference Pages  - RC (1)

---

rc - the shoki radix clusterer

CONTENTS

Synopsis
Description
Options
Files
Authors
Bugs

rc [-a clusterfile] [-c max_count] [-C conf_file] [-d density] [-D chrdir] [-E stop] [-f] [-F filterfile] [-L logfname] [-r dumpfile] [-R radix] [-s snaplen] [-S start] [-U luser] [-v verbosity] [bpf_filter]

rc reads packets from a specified dumpfile, feeds them through a clustering algorithm, and outputs the resulting clusters.

Right now, this is really research-grade software, and is probably only of interest to folks twiddling with the code.

rc shares its clustering code with hustler(1), so a cluster config file output by hustler(1) can be passed to rc via the -a flag.

-a clusterfile
	Read cluster configuration information from clusterfile.
-c max_count
	Only read max_count packets.
-C conf_file
	Read an alternate config file. By default, /usr/local/shoki/etc/rc.conf will be used.
-d density
	Sets the clustering density threshold to density.
-D chrdir	If specified, will do a chroot(2) to chrdir
-E start	Only look at packets with timestamps on or before start. A value of seconds after the start of the epoch is assumed. See also -S.
-f	Attempt fragment reassembly. Consult the README and/or the source for more information about how frag reassembly works.
-F filterfile
	Read filter expressions from filterfile. Consult the shoki.filters(5) manpage for details of the filter format.
-h	Display a usage message and exit.
-L logfile
	For filter methods that support logging to a file, output will be sent to logfile. Use ‘-’ (without the quotes) for stdout.
-r dumpfile
	Read packets from dumpfile. The specified file must be a libpcap-style dumpfile. It may be gzip’d.
-R radix	Sets the clustering radix to radix.
-s snaplen
	Sets the default snaplen. If not specified, 65535 is assumed. Individual filter rules can specify a different snaplenfor packets matching that filter.
-S start	Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed. See also -E.
-U luser	If specified, setuid/setgid to specified luser.
-v verbosity
	Set the verbosity level to verbose. If this is nonzero, then source IP addresses whose traffic matched no fingerprints will also be printed.

/usr/local/shoki/etc/rc.conf	rc config file.

.An Stephen P. Berry <spb@meshuggeneh.net>

More information can be found at the shoki homepage:

Check the README at the top of the source tree.